Cybersecurity experts are sounding the alarm after a notorious hacker, operating under the alias “Solonik,” posted a massive database containing the private information of approximately 17.5 million Instagram users.
The breach, which surfaced on a dark web hacking forum earlier this week, is reportedly the result of an “API Leak” that took place in late 2024. This specific vulnerability allowed bad actors to bypass standard security measures and scrape user profiles on a global scale.
The leaked data is formatted in JSON and TXT files, making it incredibly easy for cybercriminals to search and exploit. Unlike typical leaks that only include usernames, this dump is dangerously detailed. The compromised information includes:
• Full Names and Usernames
• Verified Email Addresses
• Phone Numbers and User IDs
• Country and Partial Location Data
While the breach is classified as “scraping” rather than a direct hack into Meta’s core servers, the sheer volume of information suggests a major failure in Instagram’s privacy safeguards.
This level of data allows scammers to build comprehensive profiles on victims, making “social engineering” attacks much more convincing. Already, numerous users have reported a surge in unsolicited password reset notifications, signaling that the data is being actively used for exploitation.
The combination of exposed phone numbers and emails puts users at high risk for “SIM swapping” and sophisticated phishing scams where hackers pose as Instagram support. By using these personal details to build trust, scammers can trick victims into handing over two-factor authentication (2FA) codes or account credentials.
As of January 10, 2026, Meta has not issued a formal statement regarding this specific 17.5 million record dump.
To stay safe, cybersecurity researchers at Malwarebytes urge all Instagram users to take immediate action. Experts recommend moving away from SMS-based two-factor authentication and instead using an authenticator app. Users should also be on high alert for any unprompted emails or texts regarding their account security.
